Category: Online Security

Six years after the infamous raid on The Pirate Bay (TPB)’s servers in Stockholm, the Swedish Police (aided by two noted anti-piracy prosecutors, Frederick Ingblad and Henrik Rasmusson) have decided to go on a secret snooping adventure around TPB’s servers with the required warrants and other paraphernalia. There is just one small catch to this mission: TPB came to know of it and decided to make the “secret” mission not so secret. Publishing a blog post and letting noted torrent news site TorrentFreak know that this was not a joke, the folks at TPB also told the alleged conspirators that they have many public computers “scattered like diarrhea around the world” and that finding one would probably lead to a nasty surprise, because they have put small Easter eggs in each machine.

While TPB’s founders are quite nonchalant about the entire affair and are using a reverse scare tactic on the perceived aggressors, it is odd to see warrants against a website that has recently switched from being a .torrent-file-heavy site to just a list of magnet links that can easily fit on a USB flash drive. Thus, even if the police manage to pull down the website, multitudes of clone sites will inevitably pop up across the world.

TPB also staunchly maintains that the site itself does nothing illegal (which is true) and that it is not responsible for its users’ usage of the website, and thus they are going to stand their ground. In their own words:

“We’re staying put where we are. We’re going no-where. But we have a message to hollywood [sic], the investigators and the prosecutors: LOL.”

A federal judge has extended the date on which computers infected with the DNSChanger malware will be cut off from the internet.

DNSChanger is malware that replaces the DNS server settings of infected computers with rogue DNS servers, which redirect victims to websites that steal their information. It is believed that around four million computers were infected by this malware, including machines at half of all Fortune 500 companies and at government agencies.

As we had previously reported, the crackdown on the DNSChanger malware was part of an FBI operation called Operation Ghost Click, which resulted in the arrest of six Estonian men who were thought to be behind the creation of the malware.

The FBI has been trying to help the affected users by replacing the rogue servers with temporary servers to keep them connected to the internet. So far, it has replaced around 100 command-and-control servers in the US, according to Computerworld.

[…] the FBI seized more than 100 command-and-control (C&C) servers hosted at U.S. data centers. To replace those servers, a federal judge approved a plan where substitute DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software.

Without the server substitutions, DNS Changer-infected systems would have been immediately severed from the Internet.

Previously, the Southern District of New York court had ordered the US Government to take down, by March 8, the temporary servers that had replaced the rogue servers. Now that deadline has been extended to July 9 to give law enforcement officials and the respective ISPs more time to help clean their customers’ PCs.

The work done by the law enforcement agencies and the ISPs has indeed reduced the number of affected users, according to a report by the security firm IID. But there are still thousands of users affected by the malware, and they will be cut off from the internet in four months if proper action is not taken.

To check whether your system is infected by DNSChanger, you can use this free tool provided by Quick Heal.
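Because the malware works by rewriting the resolver settings, the most direct manual check is to compare the DNS servers a machine is configured to use against the rogue address ranges. The following script is an added example, not the Quick Heal tool or any code from the article: it parses resolv.conf-style text, labels each nameserver, and flags the host as infected if any resolver falls inside a rogue range. The rogue ranges and the sample resolver file are constructed placeholders (RFC 5737 documentation prefixes), not the real DNSChanger address blocks; a practitioner would substitute the published ranges.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed placeholder ranges (RFC 5737 documentation prefixes) standing in
# for the published rogue-resolver networks; NOT the real DNSChanger ranges.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed resolv.conf content as it might look on a host whose first
# resolver has been rewritten to a rogue server.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.lan
nameserver 192.0.2.53
nameserver 8.8.8.8
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return resolver addresses from resolv.conf-style text, skipping comments."""
    servers = []
    for line in resolv_conf.splitlines():
        stripped = line.lstrip()
        if stripped.startswith("#") or stripped.startswith(";"):
            continue
        match = NAMESERVER_RE.match(line)
        if match:
            servers.append(match.group(1))
    return servers


def classify_resolvers(servers: Iterable[str],
                       rogue_ranges=ROGUE_RESOLVER_RANGES) -> List[Tuple[str, str]]:
    """Label each resolver 'rogue' (inside a rogue range), 'ok', or 'invalid'."""
    results = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            results.append((server, "invalid"))
            continue
        status = "rogue" if any(addr in net for net in rogue_ranges) else "ok"
        results.append((server, status))
    return results


def is_infected(resolv_conf: str) -> bool:
    """True if any configured resolver lies inside a rogue range."""
    return any(status == "rogue"
               for _, status in classify_resolvers(parse_nameservers(resolv_conf)))


def check_file(path: str = "/etc/resolv.conf") -> bool:
    """Run the same check against a real resolver file (Linux/macOS)."""
    with open(path, "r", encoding="utf-8") as fh:
        return is_infected(fh.read())


if __name__ == "__main__":
    for server, status in classify_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF)):
        print(f"{server:15} {status}")
    print("infected" if is_infected(SAMPLE_RESOLV_CONF) else "clean")
```

On Windows the equivalent input is the DNS server list shown by `ipconfig /all`; the classification step is the same once the addresses are extracted.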

Adobe has released an update to its Flash Player and Shockwave Player, as critical vulnerabilities were found in both products. The vulnerabilities were discovered by two members of Google’s security team, who reported them to Adobe.

According to the advisory from Adobe, Google’s Tavis Ormandy and Fermin J. Serna found an integer error and a memory corruption vulnerability, which attackers could have exploited to completely take control of affected computers.

Adobe has rated these vulnerabilities as “critical,” and has fixed the bugs with an update for Windows, Mac, Linux and Solaris users. The update comes with priority rating 2, which urges users to apply the update within the next 30 days. According to Adobe’s definition of “Priority 2”, the update resolves vulnerabilities in a product that has historically been at elevated risk, and there are currently no known exploits.

The two vulnerabilities found are:

CVE-2012-0768 is a memory corruption vulnerability that could lead to remote code execution by exploiting a flaw in Matrix3D.

CVE-2012-0769 is an information disclosure vulnerability as a result of integer errors in Flash Player.

Vulnerabilities are rated “critical” when the product poses a risk to the user’s computer: if exploited, they would allow attackers to execute malicious native code on the user’s system without the user being aware of it.

The vulnerabilities affect Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x.

Adobe recommends that users of Flash Player 11.1.102.62 and earlier versions update to Flash Player 11.1.102.63, and that users of Flash Player 11.1.115.6 and earlier versions on Android 4.x update to Flash Player 11.1.115.7. Android 3.x users are asked to update the Flash Player on their device to Flash Player 11.1.111.7.

Windows users can check the version of Adobe Flash Player installed on their system by right-clicking on any Flash content; the version details are displayed at the bottom of the menu. Android users can go to Settings > Applications > Manage Applications > Adobe Flash Player x.x to check the currently installed version.

Download the latest Adobe Flash Player 11.1.102.63 from here. Android users can download the latest version from the Android Marketplace from here.

The leaders of the United States of America are probably quite a confused lot. One legislative body drafts bill after bill curtailing privacy and free speech on the Internet, while the White House issues corporate ‘guidelines’ that increase consumers’ rights to privacy and ask companies to provide opt-out clauses for data collection and analysis.

The Consumer Privacy Bill of Rights applies comprehensive, globally recognized Fair Information Practice Principles (FIPPs) to the interactive and highly interconnected environment in which we live and work today. Specifically, it provides for:

− Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

− Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

− Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

− Security: Consumers have a right to secure and responsible handling of personal data.

− Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

− Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

− Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Personally, it is good to finally see some progress on cyber laws and rights, and that too from the country that proposed SOPA and PIPA. What do you guys think?

Strategic Forecasting Inc. (STRATFOR) is a company started in 1996 that provides “global intelligence” services, meaning it is what is known as a “subscription-based provider of geopolitical analysis”. More importantly, according to Wikileaks, it provides “confidential intelligence analysis” to some big-shot clients such as Lockheed Martin, Northrop Grumman, the US Dept. of Homeland Security and Dow Chemical, of Union Carbide ill-repute.

Today, Wikileaks went live with staggered posts of over five thousand emails from STRATFOR, many of which have to do with the company’s attempt to show “privileged information about the US government’s attacks against Julian Assange and WikiLeaks and Stratfor’s own attempts to subvert WikiLeaks”, as stated by RWW. Many of these emails also show how STRATFOR has engaged in malpractice in the name of security consulting:

There are more than 4,000 emails mentioning WikiLeaks or Julian Assange. The emails also expose the revolving door that operates in private intelligence companies in the United States. Government and diplomatic sources from around the world give Stratfor advance knowledge of global politics and events in exchange for money. The Global Intelligence Files exposes how Stratfor has recruited a global network of informants who are paid via Swiss bank accounts and pre-paid credit cards. Stratfor has a mix of covert and overt informants, which includes government employees, embassy staff and journalists around the world. The material shows how a private intelligence agency works, and how they target individuals for their corporate and government clients.

For example, Stratfor monitored and analysed the online activities of Bhopal activists, including the “Yes Men”, for the US chemical giant Dow Chemical. The activists seek redress for the 1984 Dow Chemical/Union Carbide gas disaster in Bhopal, India. The disaster led to thousands of deaths, injuries in more than half a million people, and lasting environmental damage.

Phishing is a popular method of social engineering employed by scammers. A scammer posing as someone else uses a popular communication medium such as email or telephone to contact a victim and request confidential information. This information is then used for purposes such as illegally withdrawing money from the victim’s account or even identity theft.

Identifying a phishing email is easy if you keep in mind certain basic fine points. I will be explaining these points with the help of an old phishing mail that circulated around 2007.

1. Generic Salutation – Phishing emails usually begin with ‘Dear User’ or ‘Dear sir/madam’ rather than the specific salutation used in legitimate mails.

2. Time frame – Usually, a sense of urgency is portrayed in phishing emails in order to make the victim anxious so that he acts in haste.

3. Threat – A threat is generally associated with the time frame so that, as mentioned above, the victim is forced to act in haste. Usual threats include cancellation of accounts, charging of credit cards, etc.

4. Suspicious links/Request for confidential information – While some phishing mails ask the victim to reply with certain information such as credit card numbers or PIN, others provide a web page where the victim can enter this information.

If the email asks you to reply with your password or any other sort of confidential information, you can be absolutely sure that it is a phishing mail. No company will ever ask you to send your password or credit card number by email.

In the case of an email with links, check whether the link points to the location it is supposed to. Phishers usually use link text that looks like a URL but is linked to a phishing page. For example, it will look like google.com, but it will point to some other webpage. If you hover your mouse over the link, your browser will display the actual hyperlink.

You can also use a link scanner extension with your browser for extra security. I use the link scanner from VirusTotal called VTChromizer: you just have to right-click the link and select ‘Scan with VirusTotal’. You can also use scanners from AVG, McAfee, etc.

5. Poor language – Authors of phishing emails are usually not people you would describe as masters of the English language, so there are likely to be grammatical, punctuation and spelling mistakes. Although not every phishing email will have mistakes, most of those I have seen were not perfect on the language side.

Another equally important way to fight phishing is to make sure that the email came from the right source. If you get an email from Amazon, check whether it came from something like no-reply@amazon.com rather than something like [email protected]
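The two checks above, link text versus link target and sender domain versus the expected domain, can both be automated. The script below is an added example, not code from this post, a mail client or any scanner mentioned here: it parses a constructed HTML message (not a real phishing mail), flags anchors whose visible text names one host while the href points at another, checks that the From address belongs to the expected domain, and also spots the generic salutation from point 1. The expected domain `amazon.com` and the sample addresses are assumptions chosen to match the example in the text.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample message illustrating the patterns described in the post;
# the sender domain and the numeric link target are placeholders (RFC 5737 range).
SAMPLE_MAIL = """\
From: Amazon Support <support@amazon-verify.example>
To: victim@example.org
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear User,</p>
<p>Verify your account at <a href="http://198.51.100.7/login">https://www.amazon.com/account</a>
within 24 hours or it will be cancelled.</p>
<p>Help: <a href="https://www.amazon.com/help">https://www.amazon.com/help</a></p>
</body></html>
"""

GENERIC_SALUTATION_RE = re.compile(r"\bDear\s+(user|customer|member|sir/madam|sir or madam)\b",
                                   re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html_body: str) -> List[Tuple[str, str]]:
    parser = _AnchorCollector()
    parser.feed(html_body)
    return parser.anchors


def host_of(text: str) -> Optional[str]:
    """Hostname of a URL, or of bare 'google.com'-style text; None if not URL-like."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and "." in host and re.fullmatch(r"[a-z0-9.-]+", host):
        return host
    return None


def deceptive_links(html_body: str) -> List[Tuple[str, str]]:
    """Anchors whose visible text looks like a URL for a different host than the href."""
    flagged = []
    for href, text in extract_anchors(html_body):
        shown, actual = host_of(text), host_of(href)
        if shown is not None and actual != shown:
            flagged.append((text, href))
    return flagged


def sender_in_domain(address: str, expected_domain: str) -> bool:
    """True only for addresses at the expected domain or one of its subdomains."""
    domain = address.rpartition("@")[2].lower()
    return domain == expected_domain or domain.endswith("." + expected_domain)


def check_message(raw: str, expected_domain: str = "amazon.com") -> Dict[str, object]:
    msg = email.message_from_string(raw, policy=policy.default)
    _, address = parseaddr(str(msg["From"]))
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "sender_address": address,
        "sender_ok": sender_in_domain(address, expected_domain),
        "deceptive_links": deceptive_links(body),
        "generic_salutation": GENERIC_SALUTATION_RE.search(body) is not None,
    }


if __name__ == "__main__":
    for key, value in check_message(SAMPLE_MAIL).items():
        print(f"{key}: {value}")
```

Comparing hostnames exactly is deliberately strict: a legitimate mail that links `www.amazon.com` text to an `amazon.com` tracking redirector would also be flagged, which is the safer direction for a reviewer who then hovers over the link as the post recommends.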

All of today’s major email providers have spam filters that detect phishing mails, and all major browsers have anti-phishing features, such as SmartScreen in IE9, which can effectively protect you from phishing attempts. And now, with these simple tips, you can hopefully detect the one or two phishing mails that sneak into your inbox.

Earlier this month, Symantec released patches for its pcAnywhere program, saying the patches would protect its users from attackers who had obtained the pcAnywhere source code. These were critical patches for the Windows versions of pcAnywhere. With these patches, Symantec also admitted that some of its source code was stolen back in 2006, and that it was being contacted by the Lords of Dharmaraja (a hacker group) over the stolen code.

While the patches released by Symantec fixed the known vulnerabilities, there could still be unknown vulnerabilities that remain unpatched.

Symantec claims that Anonymous interacted with the FBI in its negotiations, but it is unclear whom the hackers really contacted. Some speculate it was Symantec itself, using the FBI story as a cover-up. Meanwhile, the hackers released 1.27 GB of data this Monday and claim that there is more.

An interesting part of the conversation between Symantec and the hackers reads:

We cannot pay you $50,000 at once for the reasons we discussed previously. We can pay you $2,500 per month for the first three months. In exchange, you will make a public statement on behalf of your group that you lied about the hack (as you previously stated). Once that’s done, we will pay the rest of the $50,000 to your account and you can take it all out at once. That should solve your problem. Obviously you still have our code so if we don’t follow through you still have the upper hand.

When Symantec tried to play the hacker Yama Tough, who claims to have the code, he got impatient and released the code online on 6 February. After analyzing the leaked code, Symantec has declared that it is five-year-old code and that its patches are enough to keep users safe. However, such source code leaks are unacceptable from a company that deals in security.

Last September, Microsoft and Kaspersky Lab claimed a big win over the Kelihos botnet when they took control of the infected computers. Kelihos was sending 4 billion spam messages a day, covering all kinds of spam including pharmaceuticals and stocks. Researchers devised an interesting mechanism to direct all the infected computers to communicate with a “sinkhole”, a computer they controlled. In spite of these stringent measures, Kelihos has started showing its face again, and very soon its owners might regain control.

Not only has Kelihos reappeared on the radar, it is using new encryption techniques to hide its communications. A researcher at Kaspersky has also noted that two different RSA keys are being used, indicating that there might be two different groups controlling Kelihos.

Although researchers could push updates to or clean up the infected computers, doing so is against the law in many regions. A few days ago, Microsoft named Andrey N. Sabelnikov, a Russian citizen, as guilty of running Kelihos. However, Russia does not allow extradition of its citizens, so he cannot be brought to trial. Kaspersky’s Securelist investigated the matter, revealing some interesting facts, such as:

Our investigation revealed that the new version appeared as early as September 28, right after Microsoft and Kaspersky Lab announced the neutralization of the original Hlux/Kelihos botnet.

Clearly, shutting down the Kelihos botnet will be a big challenge, and it will be interesting to see how far Microsoft and Kaspersky go in this case.

The scourges that are the United States’ two gagging Acts – the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA) – are experiencing grave turmoil as large sections of the widely used Internet black out for one day in protest against their draconian nature. The ongoing protest against the Bills intensified as Wikipedia, a veritable behemoth on the Internet, joined in, as we mentioned earlier. Following close on its heels are the giant community link aggregation website Reddit and the website of indie game maker Mojang, the creators of Minecraft. Many other gaming company heads have joined together to stand against the draconian law’s enactment.

If passed, the Bills will allow any legal entity that claims copyright infringement on a site to take the whole site down, instead of just the offending article. For example, if Techie Buzz published an article containing a copyrighted image from a leading record label’s website, our blog would be taken down immediately, without trial. This is so even if we give credit where it is due.

In short, this is a gagging order for much of the Internet in the name of protecting intellectual property rights. Moreover, the website that is the intended target of this – torrent aggregator The Pirate Bay – is immune to the United States’ laws since it does not fall under America’s jurisdiction.

If allowed to pass, SOPA/PIPA will destroy the beautiful and open Internet completely and irreversibly. In a few minutes Reddit will black out in protest. If you reside in the USA, send a letter to your local representative against passing these Bills. Do your part for retaining the Free Internet!

Symantec has now retracted its previous statement that the security breach which led to the leak of the source code of its older security products happened at a third-party server, reports Reuters.

In a statement made to Reuters, Symantec spokesperson Cris Paden confirmed that the data breach occurred on Symantec’s own networks in 2006.

“We really had to dig way back to find out that this was actually part of a source code theft. We are still investigating exactly how it was stolen”, he said.

Previously, it was assumed that the breach had occurred at a server of the Indian government. He also revealed that the source code of Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere was also obtained by the hackers. Symantec, in its earlier statement, had said that the source code of Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2 was what leaked.

A few days ago, ‘Yama Tough’, who acts as the spokesman of the hacking group Lords of Dharmaraja (which claimed responsibility for the breach), tweeted that they would be releasing the code of pcAnywhere to the black hat community so that they could exploit its users using zero-day vulnerabilities. They had also threatened to release the source code of Norton to the public, but backed out at the last moment, tweeting:

We’ve decided not to release code to the public until we get full of it =) 1st we’ll own evrthn we can by 0din’ the sym code & pour mayhem

Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.

Symantec is still reiterating that the leaked code is old and that there isn’t a huge risk for its customers, provided they are using the latest versions. But unless they rewrote the source code of their latest products from scratch, chances are that at least part of the leaked source code is still in use. The leak will, however, be a great advantage for competing security product vendors, who can use it to understand the workings of Symantec’s products and improve their own.